Zero Trust and PSM: Effective Privileged Accounts Security and Breach Prevention with EmpowerID
With 62% of security breaches attributed to privileged accounts, current practices are unsustainable, and change is long overdue. However, with their elevated entitlements, they require special attention. In combination with Zero Trust, EmpowerID’s Privileged Session Management delivers exactly that.
Manage & Record Privileged Sessions
Provides stringent, effective measures to counter the high number of security breaches attributed to privileged accounts abuse.
Unlimited Zero Trust Zoning
Though Microsoft limits you to just 3 zoning tiers, EmpowerID’s micro-segmentation unlocks unlimited capacity.
Self-Service Server Access
Automating your business and empowering your users is the way forward. EmpowerID’s IT Shop delivers that and much more.
- Manage and Record Privileged User Sessions – though indispensable, privileged accounts are not without risk. Discover how EmpowerID’s PSM not only supports Zero Trust, but also helps delivers the security your organization needs.
- Zero Trust Zoning – knowing full well that Windows’ limitation of 3 basic zoning tiers is insufficient and constraining, EmpowerID improved on that and expanded it to unlimited.
- Self-Service Server Access Shopping – provisioning your users with the ability to self-service is a win-win. The EmpowerID IT Shop and automated workflows do just that. With full tracking and logging capability, it has neither been better nor easier.
- daptive MFA for Server Access – AMFA is a proven means of both easing user adoption of new login methods and in providing more intelligent security for your organization.
- Server Discovery – for a security solution to be effective, it needs to be able to connect to, and encompass, as many systems as possible. With its wide range of out of the box IGA connectors, EmpowerID does all that, and more, automatically.
Watch a short demo video of EmpowerID’s Privileged Session Manager:
Manage and Record Privileged User Sessions
When you consider that 62% of security breaches are attributed to privileged accounts abuse, it raises questions around constraint, limitation, and prevention.
On the one hand, you need these elevated accounts to keep both essential and non-essential systems running. Yet, on the other, the almost unlimited access to system resources they require poses enormous business risk
The only feasible answer here is with the Zero Trust model.
Though the Zero Trust principles of never trust and always verify are applicable here, the third principle is also key.
This 3rd principle states that only the minimal access required should ever be be granted, and only for the minimal time period required. Furthermore, Zero Trust also stipulates that, where possible, all access should be proxied and monitored.
EmpowerID’s Privilege Session Manager (PSM) delivers this.
PSM acts as a web-based gateway to provide authorized users with RDP or SSH access to Windows or Linux servers. But it does so without ever exposing the servers to actual network access.
This dramatically simplifies network security concerns as locations are irrelevant–your users and servers can be anywhere.
The only constraint here is access between the user and the web interface of the PSM itself, and then between the PSM Gateway and the server(s) the user wishes to reach.
- Eliminating VPNs reduces costs and associated bottlenecks that, typically, reduce overall user experience and productivity
- Proxying access prevents direct network connectivity to servers and removes most common malware and hack exploits.
- Strong adaptive identity verification can be enforced.
- Sessions can be optionally recorded as videos for later compliance investigation or verification.
Regardess, in all cases, the password of the privileged credential is never revealed to the end user and eliminates any potential for sharing or misuse.
Zero Trust Zoning
On Windows machines, any local admin has access to the cached passwords for the last x (typically 10) users who have logged into that machine.
From the hackers perspective, they will try and trick one of your users into either opening an email or clicking on a link on a computer where the user has local admin privileges. Once they do, the malware initiates and the hacker is in
That hacker now has access to all those cached passwords. Their next step would either be to install software to do yet more damage or to move laterally in an attempt to target higher value servers.
(Imagine if a domain admin had previously logged into that pc and the hacker managed to discover them and their password? Now they can lay your organization bare and we will see you on the front-page soon!)
Unfortunately, recent history has shown that it is impossible to stop hackers. They will always find a way in.
Consequently, the approach is to minimize the damage they can do. We do this by zoning (aka tiering). Zoning seeks to limit:
- where hackers can go
- which cached privileged credentials might be available locally on compromised PCs.
In the same way that you work with network controls such as subnets, routing tables, and firewall rules, zoning can be done at the user access level.
EmpowerID’s micro-segmentation strategy removes Microsoft’s own limitations
Microsoft proposes 3 basic tiers for granting credentials in a Windows network:
- AD domain controllers
However, EmpowerID will prove to be an invaluable tool here because it removes this limitation and allows you to implement as many zones as your organization’s security requires EmpowerID’s PSM enforces a Zero Trust zoning or “micro-segmentation” strategy. Instead of elevating the access of the user’s existing account, this PSM micro-segmentation strategy allows an organization to use pre-provisioned shared accounts for server access. It also does this without ever revealing the passwords. Within EmpowerID, your own admins will explicitly define which vaulted privileged credentials will be available for use by your admins for specific servers, by zone. Note: this is a best practice in avoiding lateral movement or pass-the-hash attacks.
Self-Service Server Access Shopping
EmpowerID’s IT Shop brings a well-known shopping cart experience to all access requests, including requesting and launching privileged session access to servers.
Withing the IT Shop, users simply search for, and locate, the computer to which they need access. They then click to request use of a vaulted credential for their desired time period.
Time limits, approval processing, session recording, and privacy settings are all controlled by privileged credential policies
If a request requires approval, EmpowerID automatically generates workflow tasks, routes them to the specified recipients, tracks the status throughout, and notifies participants via email.
EmpowerID also tracks and records all requests, decisions and associated fulfillment actions for audit purposes.
Adaptive MFA for Server Access
For most hackers, gaining access to your organization’s key servers is akin to striking the motherlode.
Sadly, passwords continue to be the weakest link in most organization’s security strategy—both the passwords themselves and the practices surrounding them—and they expose a huge gap.
However, though Multi-Factor Authentication (MFA) for server access is a proven means to plug this gap, research has shown that users are resistant to change
EmpowerID’s Adaptive MFA eases the adoption of more secure identity verification procedures by responding to user login attempts based on your organization’s own policies.
For example, you can specify that users aren’t forced to perform MFA on every server access attempt but rather only when the circumstances warrant it.
These circumstances can be graded, of course. For example, you could set a less stringent set of conditions until users are comfortable with the new system and then reconfigure at a later time.
EmpowerID provides users a wide range of friendly options including:
- One-time passwords (OTP)
- The EmpowerID Mobile phone app which allows users to click to approve their identity verification request
- FIDO/Yubikey tokens
- 3rd parties such as DUO, etc.
Your organization needs a complete Identity Management Security solution. One that encompasses as many, if not all, of the systems your organization contains.
EmpowerID includes one of the largest libraries of IGA system connectors available and helps achieve that.
The Privileged Session Management solution itself benefits from this convergence and leverages the connection that EmpowerID makes.
This connection facilitates automatic discovery of your computers, virtual machines, and privileged credentials. In addition, local computer identities and access can optionally be discovered and managed with the Computer Identity Management module
Once connected, EmpowerID automatically discovers computers, computer objects, and virtual machines wherever they may reside.
Moreover, the most popular platforms for running virtual workloads are supported including: Amazon AWS, Azure, and VMware VCenter.
With computer objects, these can either be automatically discovered from your Active Directory or they can be registered manually in friendly web-based workflows.
Finally, server discovery not only allows your admins to maintain an up to date inventory of the assets they are managing, but also simplifies the process for configuring servers for PSM access.